This Privacy Statement only addresses the collection, use, and disclosure of information by Pico through your interaction with our Services. This Privacy Statement does not address the policies or practices of any third parties, including our Communities, or any third-party websites or features that are linked to or available from our Services.
We have no control over or responsibility for the privacy practices and content of our Communities, linked services or features, or any other third-party services. If you provide any information to our Communities, or any other third parties e. You should contact these entities directly if you have any questions about their privacy practices.
5. Your Choices
If you registered with the Services through your social media account, or connected, linked, or shared your use of our Services via your social media profile, you can manage the permissions granted to such third-party social media services by accessing your member settings under your account. You may choose to opt out of receiving commercial emails from us by following the instructions contained in any of the commercial e-mails. Please note that even if you unsubscribe from commercial email messages, we may still email you non-commercial transactional emails related to your account and your transactions via the Services.
Also, please allow us 10 business days from when the request was received to complete the removal. If you wish to opt-out of receiving offers directly from our third-party Communities, you can follow the instructions in the emails that they send you. If you are a member based in the EU, we only send you commercial emails when we have obtained your explicit prior opt-in consent, except where we have obtained your e-mail address in the course of a sale or negotiations for a sale of a product or service and where the commercial emails are only marketing similar products or services.
You can disable Cookies at any time by adjusting your browser settings. Browsers are different, so refer to instructions related to your browser to learn about cookie-related and other privacy and security settings that may be available.
Currently, we do not alter our data collection and use practices in response to Do Not Track signals. Subject to applicable law, you have the right to obtain request access to and receive information about the Personal Information we keep about you, receive copies of the Personal Information we keep about you, correct inaccuracies with your Personal Information, object to the processing of your Personal Information, and have your Personal Information blocked, anonymized or deleted, as appropriate.
The right to access Personal Information may be limited by local law requirements. To exercise your rights, please contact us as set forth below. We maintain commercially reasonable security safeguards that are designed to protect the Personal Information we collect against unauthorized use, disclosure, alteration or destruction. While we strive to protect your information, Pico cannot guarantee or warrant that your Personal Information is under absolute security with the existing security technology.
If you have any questions about the security of our Services, you can contact us at [email protected]. We store Personal Information only for as long as it is necessary for the fulfillment of the purpose for which the Personal Information was collected, unless otherwise authorized by applicable law.
We have things where initially you get certain pro features and you can keep paying and you can keep using them, or after X amount of time they go away. They want to play around with the whole thing and see, hey, is this actually providing me value?
Do I want to pay for this feature which is nice or this and that plugin or what have you? What are you going to solve today? What are you trying to solve tomorrow? Let us find a way of actually supporting you and invest into a mutual partnership and not just grab the money and run.
We have extremely low churn for, I would say, pretty good reasons. Because this thing about our users, our customers being successful, we do take it extremely seriously. I still am not sure that most people can really contextualize just how much logging fits into 50 gigs of data.
Do you have any, I guess, ballpark examples of what that looks like? Richard: Lord of the Rings is roughly five megabytes. Or some of it, yes, but not all of it. You need better tooling and you need proper tooling. And some of this is more modern. Some of this is where we actually pushed the state of the art. But I, for myself, do claim that we did push the state of the art here. But at the same time you come back to those absolute fundamentals of how humans deal with data.
If you look back basically as far as we have writing—literally years ago, is the oldest writing—humans have always dealt with information with the state of the world in very specific ways. A, is it important enough to even write it down, to even persist it in whatever persistence mechanisms I have at my disposal?
If yes, write a detailed account or record a detailed account of whatever the thing is. So, over time, you optimize towards only taking down key events and only noting key events. Maybe with their interconnections, but fundamentally, the key events. So, you turn them into numbers and you can do actual math on them. Literally, as long as we have written records, this has played out again, and again, and again, and again, for every single field which humans actually cared about.
At different times, like, power networks are way ahead of this, but fundamentally power networks work on metrics, but for transient load spike, and everything, they have logs built into their power measurement devices, but those are only far in between. Of course, the main thing is just metrics, time-series. And you see this again, and again. You also were sysadmin in internet-related all switches have been metrics-based or metrics-first for basically forever, for 20, 30 years.
But that stands to reason. But fundamentally, you have this complete system. Basically profiles or distributed tracing depending on how you view distributed tracing. You can also argue that distributed tracing is key events which are linked to each other. Logs sit firmly in the key event thing and then you turn this into numbers and that is metrics. Mine is pretty well optimized.
And right around of that is various forms of logging and detecting change in the environment. Except that whenever I have to go in and diagnose something or respond to an incident or have some forensic exploration, they then are worth an awful lot. And I am prepared to pay bucks a month for that because the potential value of having that when the time comes is going to be extraordinarily useful. But in some cases, yeah, okay, then crank up the verbosity and then look for it.
Richard: Ish. You could absolutely be optimizing this. You have this one extreme of full-text indexing everything, and you have this other extreme of a data lake—which is just a euphemism of never looking at the data again—to keep storage vendors happy. There is an in between.
But it goes further than just this. You can also turn those logs into metrics. And to me this is a path of optimization. Where previously I logged this and that error. No one cares that this is at this precise time. And again, and again, and again. And all of a sudden, I have literally—and I did the math on this—over But most users, which I see both with my Grafana and with my Prometheus [unintelligible ] tend to start with logs. But then you can leverage on this and instead of having a debug statement, just put a counter.
In two months time, see if it was worth it or if you delete that line and just remove that counter. But it goes beyond this because all of a sudden, if I can turn my logs into metrics properly, I can start rewriting my alerts on those metrics. I can actually persist those metrics and can more aggressively throw my logs away. I mean Black Friday. But we can also talk about deploying on Fridays. But the thing is, you have this huge thing, whereas if you have this as a continuous improvement process, I can just look at, this is the log which is coming out.
I turn this into a number, I start emitting metrics directly, and I see that those numbers match. And so, I can just start—I build new stuff, I put it into a new data format, I actually emit the new data format directly from my code instrumentation, and only then do I start removing the instrumentation for the logs.
Corey: I really want to thank you for spending as much time as you have. Richard: Personal attacks, probably Twitter. For actually tracking, I stopped maintaining my own website. Corey: And we will, of course, put links to that in the [show notes]. Thanks again for your time. Richard: And thank you.
We help companies fix their AWS bill by making it smaller and less horrifying. We tailor recommendations to your business and we get to the point. Visit duckbillgroup. Announcer: This has been a HumblePod production. Stay humble.
Michael has more than 20 years of industry experience in many different roles, including incident response, threat intelligence, offensive security research, and software development at companies like Rapid7, ThreatQuotient, and Mantech.
Prior to joining Sysdig, Michael worked as a Gartner analyst, advising enterprise clients on security operations topics. Corey: Welcome to Screaming in the Cloud. Mike, how are you doing? Thanks for having me. How are you doing? Corey: Not dead yet. So, we take what we can get sometimes. At a very high level, what is that thing?
Michael: Sure. And the cloud-native part, Sysdig specializes in cloud and containers, so we really wanted to focus in on those areas when we were making this threat report, which talks about, you know, some of the common threats and attacks we were seeing over the past year, and we just wanted to let people know what they are and how they protect themselves.
And invariably, they paint a very dire picture of the internet about become cascading down. Click here to set up a meeting with us. This does absolutely none of that. Michael: We definitely went into that on purpose. And hopefully, the person reading it finds a good way to do it. But I want to highlight a few things that leapt out to me that I find interesting.
Who was behind this? Michael: Yeah, it was a pretty big team effort across several departments. But mostly, it came to the Sysdig threat research team. So, we have machine learning people, data scientists, data engineers, former pen-testers and red team, a lot of blue team people, people from the NSA, people from other government agencies as well.
So, we try to get perspectives on how these threats are viewed by multiple areas, not just Silicon Valley, and express fixes that appeal to them, too. Mine Bitcoin and other various cryptocurrencies. Which is entirely possible. We also think it just one person, actually, and they are very prolific.
So, they were pretty hard to get that platinum support package because they are everywhere. This is a common failure mode that we all have. And oh, my God, we now have a number and a ratio, and I can talk intelligently and sound four times smarter. So, ignoring anything else in this entire report, congratulations, you have successfully turned this into what is beginning to become a talking point of mine.
Value unlocked. Good work. Tell me more. Michael: Oh, thank you. Cryptomining is kind of like viruses in the old on-prem environment. Normally it just cleaned up and never thought of again; the antivirus software does its thing, life goes on. And I think cryptominers are kind of treated like that. So, a lot of people generally just think of as a nuisance, as I said. And, you know, as you mentioned, it really puts it into view of what it could cost you by not taking it seriously.
And that number can scale very quickly, just like your cloud environment can scale very quickly. Corey: They say this cloud scales infinitely and that is not true. Secondly, it scales, but there is an inherent limit, which is your budget, on some level. I promise they can add hard drives to S3 faster than you can stuff data into it.
Very reasonable. That carries us surprisingly far. Yeah, you dropped a whole bunch of zeros off the end of that. Here you go. And as AWS spins up more and more regions and as they spin up more and more services, the ability to exploit this becomes greater and greater.
This problem is not getting better, it is only getting worse, by a lot. Michael: Oh, yeah, absolutely. And I feel really bad for those students who do have that happen to them. Michael: Yeah, it really does scare people off of that. Now, some cloud providers try to offer more proactive protections against this, try to shut down instances really quick.
And setting those up is critical for everybody. Until you affirmatively upgrade your account to chargeable, they will not charge you a penny. They do have warnings plastered on the site, as they should, that until you upgrade your account, do understand that if you exceed a threshold, we will stop serving traffic, we will stop servicing your workload. It all depends on how people set it up. Because you talk about focusing specifically on cloud and containers as a company, which puts you in a position to be authoritative on this.
But I was also highlighting very clearly that every one of those containers running in a service could be mining cryptocurrency. Corey: Restricting the permissions that anything has in your cloud environment is important. It is the access to things in the account. There are datasets that are far more damaging and valuable about that. The worst sleep I ever had in my career came during a very brief stint I had about 12 years ago when I was the director of TechOps at Grindr, the gay dating site.
At that scenario, if that data had been breached, people could very well have died. They live in countries where that winds up not being something that is allowed, or their family now winds up shunning them and whatnot. Michael: Yeah. I guess the interesting part is, data requires a lot of work to do something with for a lot of attackers. Like you said, people, they rebuild things and ask AWS for credit, or whoever, and move on with their lives. But again, I am not primarily in the security space.
What do you see in that area? Now, the reasoning? Break it down for me. What are you seeing? So, containers are very fun because, you know, you can define things as code about what gets put on it, and they become so popular that sharing sites have popped up, like Docker Hub and other public registries, where you can easily share your container, it has everything built, set up, so other people can use it.
But you know, attackers have kind of taken notice of this, too. But instead, they may try to see theirs and links and things like that to entice people to use theirs instead. So, we see quite a bit of these containers in Docker Hub. So yeah, we see a lot of—and embedded credentials and other big part that we see in these containers. That could be an organizational issue, like just a leaked credential, but you can put malicious credentials into Docker files, too, like, say an SSH private key that, you know, if they start this up, the attacker can now just log—SSH in.
So, you have to be really careful. And the demos that I did on that were, well, this was fun and great, but it was really annoying resetting them every time I gave the talk, so I stuffed them all into a Docker image and then pushed that up to Docker Hub.
It was awesome. And you see that again, and again, and again. So, I mean, to protect yourself, it really becomes about, like, you know, you can do the static scanning of it, looking for bad strings in it or bad version numbers for vulnerabilities, but it really comes down to runtime analysis.
At some point, you have to trust some product or some foundation to have done the right thing. And we saw a lot of that with the Russian-Ukrainian conflict this year. Containers were released that were preloaded with denial-of-service software that automatically collected target lists from, I think, GitHub they were hosted on. So, all a user to get involved had to do was really just get the container and run it.
And they could also use this to put on a botnet or if they compromise an organization, they could spin up at all these instances with that Docker container on it. And now that company is implicated in that cyber war. So, they can also be used for evil. And I understand the desire to do that, truly I do. I am no Russian apologist. It really sets a lot of stuff back. It still erodes trust. Michael: Especially it erodes trust throughout open-source.
Red Hat seems trustworthy and reliable. I do want to call out something here that it might be easy to get the wrong idea from the summary that we just gave. And I never did. Nothing in this entire report even hints in that direction. Michael: Was it you never got to it, or, uh—Corey: Oh, no. And simultaneously I want to say—I want to just point that out because that is laudable. At the same time, I am deeply and bitterly resentful that that even is laudable. That should be the common state.
I just want to call that out is doing the right thing. Michael: Thank you. Yeah, it was actually a big topic about how we should broach this. But we have a good data point on right after it started, there was a huge spike in denial-of-service installs. And that we have a bunch of data collection technology, honeypots and other things, and we saw the day after cryptomining started going down and denial-of-service installs started going up.
So, it was just interesting how that community changed their behaviors, at least for a time, to participate in whatever you want to call it, the hacktivism. But these events can cause big changes in the hacktivism community. You suddenly have enormous piles of money—from their perspective—sitting there relatively unguarded. Michael: Right. Like before, you had to get something on your PC. You had to download something. Things like that will make it game over or your account gets compromised and big bills get run up.
Corey: Ugh. What exactly, at a high level, is it that Sysdig does? Like, how would you describe that in an elevator without sabotaging the elevator for 45 minutes to explain it in depth to someone? Michael: So, I would describe it as threat detection and response for cloud containers and workloads in general. Which is it? It feels like security people selling to security people, on some level. Michael: I was a Gartner analyst. Oh… that would do it then.
Michael: No. Michael: So, I have no idea [laugh]. The only thing I really understand is: detection and response is a very clear detect things and respond to things. How did we not know this was coming? Corey: I really want to thank you for taking the time to go through the findings of the report for me.
I had skimmed it before we spoke, but talking to you about this in significantly more depth, every time I start going to cite something from it, I find myself coming away more impressed. This is now actively going on my calendar to see what the version looks like. If people want to download a copy of the report for themselves, where should they go to do that?
Michael: They could just go to sysdig. And thank you for having me. Corey: No, thank you for coming. Thanks for taking so much time to go through this, and thanks for keeping it to the high road, which I did not expect to discover because no one ever seems to. I really appreciate it. Michael: Thanks. Have a great day.
He is surprisingly passionate about feature flags and continuous configuration. He lives in the Washington DC area with his wife, 3 kids, and 2 incontinent dogs.
That'd be pretty sweet, wouldn't it? With Tailscale SSH, you can do exactly that. Tailscale gives each server and user device a node key to connect to its VPN, and it uses the same node key to authorize and authenticate. Basically you're SSHing the same way you manage access to your app. What's the benefit here? Built-in key rotation, permissions as code, connectivity between any two devices, reduced latency, and there's a lot more, but there's a time limit here.
You can also ask users to reauthenticate for that extra bit of security. Sounds expensive? Nope, I wish it were. Completely free for personal use on up to 20 devices. To learn more, visit snark. Again, that's snark. This is a promoted guest episode.
What does that mean? Paying me is absolutely a behavior I wish to endorse. Steve, thank you for joining me. Steve: Hey, Corey, great to see you. Looking forward to a conversation. Corey: As am I. Systems Manager has, I think, 17 different features associated with it. Corey: Oh, I absolutely am. It aligns with how I tend to think about the world in a bunch of different ways. I have yet to see anything lurking within the Systems Manager umbrella that has led to a tee-hee-hee bill surprise level that rivals, you know, the GDP of Guam.
But yes, how did AppConfig get its name? Steve: [laugh]. So, AppConfig started about six years ago, now, internally. So, we actually were part of the region services department inside of Amazon, which is in charge of launching new services around the world.
We found that a centralized tool for configuration associated with each service launching was really helpful. So, a service might be launching in a new region and have to enable and disable things as it moved along. And so, the tool was sort of built for that, turning on and off things as the region developed and was ready to launch publicly; then the regions launch publicly. It turned out that our internal customers, which are a lot of AWS services and then some Amazon services as well, started to use us beyond launching new regions, and started to use us for feature flagging.
Again, turning on and off capabilities, launching things safely. And so, it became massively popular; we were actually a top 30 service internally in terms of usage. And so, it became AppConfig. And as part of its excellent response that AWS put out, they said that from the time that it was disclosed to them, they had patched the service and rolled it out to every AWS region in which Glue existed in a little under 29 hours, which at scale is absolutely magic fast.
I mean, look at who your customers are; mistakes will show. That is far faster than even the improved speed of CloudFront distribution updates. Steve: Yes, a lot of that is us. And I can talk generically about feature flagging. And that code can be sitting out there, nobody can access it until somebody flips that toggle.
Now, the smart way to do it is to flip that toggle on for a small set of users. You want to make sure that on production, it behaves the way you expect it to behave. Because to my mind, one of them is a means of achieving the other, but I could also see very easily using the terms interchangeably. Given that in some of our conversations, you have corrected me which, first, how dare you? What is that point of distinction? Steve: Yeah.
Typically for those that are not eat, sleep, and breathing dynamic configuration—which I do—and most people are not obsessed with this kind of thing, feature flags is kind of a shorthand for dynamic configuration. It allows you to turn on and off things without pushing out any new code.
So, dynamic configuration is maybe a superset of feature flags. But in a period of stress, you might want to actually bring that number down. Well, you can push out these changes with dynamic configuration—which is, again, any type of configuration, not just an on-off switch—you can push this out and adjust the behavior and see what happens. But it allows you to have these dials and switches to do that. Corey: Which makes a fair bit of sense. Steve: Yep. And that makes an awful lot of sense.
The idea of rolling out changes to your infrastructure has evolved over the last decade. And that worked out well. How do feature flags feature into those, I guess, three evolving methods of running applications in anger, by which I mean, of course, production? Good question.
And I think you really articulated that well. Corey: Well, thank you. I should hope so. At least I fancy myself one. Yes, you are. And so, it became a pattern. We can separate the deployment from code from the deployment of configuration data, and have the code be reading that configuration data on a regular interval, as I already said. So now, as the environments have changed—like you said, containers and Lambda—that ability to make tweaks at microsecond intervals is more important and more powerful.
So, there certainly is still value in having things like environment variables that get read at startup. We call that static configuration as opposed to dynamic configuration. Containers are a bit ephemeral, and so they kind of come and go, and you can restart things, or you might spin up new containers that are slightly different config and have them operate in a certain way.
And again, Lambda takes that to the next level. That makes it really tough to debug. So, you want to think of this as I want to roll this out gradually over time, but eventually, you want to have this sort of state where everything is somewhat consistent. A common reference I make is to my lasttweetinaws.
And anyone can visit it, use it however they want. Now, if this were a paid service, or I had people using this in large volume and I had to worry about that sort of thing, I would probably approach something that is very close to what you describe. And when that works the way I want it to I then just push it to everything else automatically.
Would you agree with that, or is this something everyone should use? Steve: I would agree with that. And so, feature flags do help with that. So typically, the journey we see is people start off in a maybe very small startup. Oh, my gosh, this is great. I can release something when I want without doing a big code push. I can just do a small little change, and if something goes wrong, I can roll it back instantly. And so, the basics of feature flagging might be a homegrown solution that you all have built.
A lot of them are around safeguards that makes sure that releasing a new feature is safe. You know, again, pushing out a new feature to everybody could be similar to pushing out untested code to production. It really depends—to get back to your question about who needs feature flags—it depends on your audience size. When it was first announced, feature flags were one of the things that it did. Like, did I hallucinate this? What changed? What was it that was misunderstood about the service initially versus what it became?
I think what happened was we launched it, guessing what our customers were going to use it as. We had done plenty of research on that, and as I mentioned before we had—Corey: Please tell me someone used it as a database. Or am I the only nutter that does stuff like that? Steve: We have seen that before. We have seen something like that before. Corey: Excellent. Excellent, excellent. I approve. Steve: And so, we had done our due diligence ahead of time about how we thought people were going to use it.
We were right about a lot of it. I mentioned before that we have a lot of usage internally, so you know, that was kind of maybe cheating even for us to be able to sort of see how this is going to evolve. What we did announce, I guess it was last November, was an opinionated version of feature flags. So, we had people using us for feature flags, but they were building their own structure, their own JSON, and there was not a dedicated console experience for feature flags.
What we announced last November was an opinionated version that structured the JSON in a way that we think is the right way, and that afforded us the ability to have a smooth console experience. So, if we know what the structure of the JSON is, we can have things like toggles and validations in there that really specifically look at some of the data points. You can change configuration however your little heart desires.
In most cases. Usually something homebuilt. And it might very well be you have the exact same biggest competitor that I do in my consulting work, which is of course, Microsoft Excel as people try to build their own thing that works in their own way. Steve: Yeah, so definitely a very common customer of ours is somebody that is using a homegrown solution for turning on and off things.
The second time. I can build something like that in a weekend. And by the time that they figure out why, they have to backtrack significantly. What inspired you to do that? Steve: Absolutely, absolutely. What are the benefits that accrue and are felt immediately? So, we kind of have a policy that the very first commit of any new feature ought to be the feature flag.
But you can have your code there, it reads whether that configuration is on or off. You start with it off. And so, it really helps just while developing these things about keeping your branches short. And you can push the mainline, as long as the feature flag is off and the feature is hidden to production, which is great. So, that helps with the mess of doing big code merges. The other part is around the launch of a feature. So, you talked about Andy Jassy being on stage to launch a new feature.
Sort of the old way of doing this, Corey, was that you would need to look at your pipelines and see how long it might take for you to push out your code with any sort of code change in it.
After disabling all programs, close Task Manager and click OK. Afterward, you can restart the computer to check to see if the error has been fixed. When you encounter the Cryptographic Services issue, you can try installing the latest Windows updates.
Step 1: Right-click the Start menu and choose Settings.
Step 3: Under the Windows Update section, click the Check for updates button to check if there are any new updates.
Then Windows will search for available updates. Just follow the on-screen instructions to finish the process. To do that, you can follow the steps.
This process controls how many of the cryptocurrencies from the global market are represented on our site.
What Is an Altcoin?
The very first cryptocurrency was Bitcoin. Since it is open source, it is possible for other people to use the majority of the code, make a few changes and then launch their own separate currency. Many people have done exactly this. Some of these coins are very similar to Bitcoin, with just one or two amended features (such as Litecoin), while others are very different, with varying models of security, issuance and governance.
However, they all share the same moniker — every coin issued after Bitcoin is considered to be an altcoin.
What Is an ICO?
ICO stands for initial coin offering. Many of the smaller projects in the crypto space — and a few of the largest ones — raised money from private investors around the world in the crypto equivalent of a crowdfunding campaign.
Investors would send funds — usually in the form of Bitcoin — to the project and receive coins or tokens in return. In , the United States Securities and Exchange Commission (SEC) clarified their rules relating to fundraising for assets, which made it much harder for new cryptocurrency projects to issue their own tokens in this way.
What Is a Stablecoin?
Price volatility has long been one of the features of the cryptocurrency market.
When asset prices move quickly in either direction and the market itself is relatively thin, it can sometimes be difficult to conduct transactions as might be needed. To overcome this problem, a new type of cryptocurrency tied in value to existing currencies — ranging from the U. These new cryptocurrencies are known as stablecoins, and they can be used for a multitude of purposes due to their stability.
What Are In-game Tokens?
Play-to-earn (P2E) games, also known as GameFi, have emerged as an extremely popular category in the crypto space. It combines non-fungible tokens (NFTs), in-game crypto tokens, decentralized finance (DeFi) elements and sometimes even metaverse applications. Players have an opportunity to generate revenue by giving their time (and sometimes capital) and playing these games.
This game was extremely popular in developing countries like the Philippines, due to the decent income players can earn.